[dmarc-discuss] RUA validation
fmartin at linkedin.com
Tue Jan 31 13:10:27 PST 2012
The RUA and RUF are a request, not an obligation.
On 1/31/12 13:05 , "Murray S. Kucherawy" <msk at cloudmark.com> wrote:
>> -----Original Message-----
>> From: dmarc-discuss-bounces at blackops.org
>>[mailto:dmarc-discuss-bounces at blackops.org] On Behalf Of Jim Popovitch
>> Sent: Tuesday, January 31, 2012 12:56 PM
>> To: dmarc-discuss at dmarc.org
>> Subject: [dmarc-discuss] RUA validation
>> What's to prevent me from registering billsgiftgivaway.tld and
>> assigning rua=bill.gates at microsoft.com... and then botnet'ing a spamrun
>> as From:gifts at billsgiftgivaway.tld .. If p=report/none (btw, there's
>> some ambiguity on that) then wouldn't a lot of ISPs pound
>> bill.gates at microsoft.com ?
>I don't see a "report" in the legal list of values for "p".
>It's currently legal for "rua" to contain a domain name since we say
>"rua" has to be a list of URIs, with support for "mailto" being
>mandatory, but no other constraints. We've gone back and forth on
>whether or not to allow domain names there. I imagine consensus could
>swing back the other way.
>The current specification leaves it to the Mail Receivers to decide
>whether or not to allow third party reporting in the way you suggest.
>That is, one could detect that the report is addressed outside the
>evaluated domain and decide not to send them. I'd agree that maybe this
>ought to be a SHOULD in favour of ignoring such requests, with the
>exception being explicit prior arrangement to allow them.
>One could even say that the domain part of a "mailto" MUST be ignored, or
>that mismatched domains mean the entire URI MUST be ignored, because a
>Domain Owner could simply create an alias to the third party that is to
>receive the reports. However, we can't say the domain MUST NOT be there,
>because the syntax of "mailto" allows them, and then the two would be in
>Any other opinions?
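The receiver-side check discussed in this thread (declining to send aggregate reports to a "mailto" destination outside the evaluated domain unless there is an explicit prior arrangement), as an added example that is not part of the original messages or of the DMARC specification. The function names, the `arranged` allowlist, the exact-match domain rule and the sample record are assumptions.

```python
from urllib.parse import urlsplit, unquote

def parse_tags(record):
    """Split a DMARC TXT record ("v=DMARC1; p=none; rua=...") into a dict."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def norm(domain):
    """Compare domains case-insensitively and without a trailing dot."""
    return domain.strip().rstrip(".").lower()

def filter_rua(record, evaluated_domain, arranged=frozenset()):
    """Return (send_to, ignored); ignored holds (uri, reason) pairs.

    arranged: (policy_domain, report_domain) pairs the receiver has agreed
    to honour. This is hypothetical local configuration, not a DMARC tag.
    """
    policy_domain = norm(evaluated_domain)
    send_to, ignored = [], []
    uris = [u.strip() for u in parse_tags(record).get("rua", "").split(",")]
    for uri in filter(None, uris):
        parts = urlsplit(uri)
        if parts.scheme.lower() != "mailto":
            ignored.append((uri, "unsupported scheme"))
            continue
        local, at, domain = unquote(parts.path).rpartition("@")
        if not (at and local and domain):
            ignored.append((uri, "malformed address"))
            continue
        report_domain = norm(domain)
        # Assumption: only an exact domain match counts as "inside".
        if report_domain == policy_domain or (policy_domain, report_domain) in arranged:
            send_to.append(f"{local}@{report_domain}")
        else:
            ignored.append((uri, "third-party destination"))
    return send_to, ignored

# Constructed sample record modelled on the scenario raised in the thread.
SAMPLE = ("v=DMARC1; p=none; "
          "rua=mailto:someone@thirdparty.example,mailto:reports@sender.example")

if __name__ == "__main__":
    print(filter_rua(SAMPLE, "sender.example"))
```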